Privacy Preservation Authentication: Group Secret Handshake with Multiple Groups

Abstract

The technique of group secret handshake (GSH) has been used to help the members affiliated with the same group in achieving private authentication. After executing GSH protocols, the participants affiliated with the group can compute a shared secret key, or generate a public encryption key while the true participants can self-compute their decryption keys. This paper presents a concrete GSH protocol with Multiple Groups. Only a legitimate member can prove that it belongs to a set of legitimate affiliations, but which affiliation it belongs to will not be leaked. The Group Authority can reveal the real identities of the fellows in the proposed scheme after analyzing the flow of communication. The proposed scheme can provide affiliation-hiding and detectability. In addition, it achieves Perfect Forward Secrecy.

1. Introduction

Secret handshakes for identifying users within a group are an efficient mechanism, first introduced by Balfanz et al. [1]. Unlike traditional authentication protocols, secret handshake protocols help two participants affiliated with the same group privately identify each other. Only when these protocols are executed successfully the two participants can authenticate each other. Even if the participants have identified each other, they cannot learn the partner’s details (e.g., the real identity) besides the affiliation information. The secret handshake protocols are also called affiliation-hiding protocols. These protocols can be applied in many scenarios. For example, if a secret agent A wants to authenticate another agent B, then B can conclude whether A is affiliated to the same group only if B is affiliated to that group. Traditionally, two devices execute an ID-based authenticated key exchange to create a session key. However, as pointed out in [2], these protocols are not secure. In contrast, if two devices perform secret handshakes, one party can identify if the other is authorized. Only if both are authorized, then they will establish a shared session key. Anonymous routing can also be achieved using secret handshake protocols [3].

In Balfanz et al.’s scheme, a group manager generates users’ pseudonyms, creates certificates based on the pseudonyms and group secret, and then sends the certificates to the members through an authenticated channel. The group manager generates the certificates for the users just like PKG creates the private keys.

Ideally, a secret handshake protocol should achieve Impersonation Resistance, i.e., a non-group member cannot impersonate a group member to execute the protocol. Moreover, non-group members cannot identify group members (Detection resistance). Traceability should also be provided, i.e., if group members are corrupted, they should be traced.

The concept of group secret handshake (GSH) protocols was introduced in [4]. It also proposed two concrete GSH protocols: an RSA signature-based protocol and a Schnorr signature-based protocol. However, the work in [5,6] by Xu et al., successfully executed attacks in the two GSH schemes. Furthermore, they proposed two new GSH protocols to counter the defined attacks. GSH protocols help the participants of the same groups to authenticate each other. After successfully executing the protocol, the players will generate a shared or public encryption key and their decryption keys [7]. Only honest players can calculate the decryption keys, and each player’s decryption key is different. The scheme in [7] needs only one round, but it does not hold detectability. Moreover, executing this protocol requires O$\left(k\right)$ pairing operations. The schemes in [5,6] require O$\left(k\right)$ multiplication operations, O$\left(k\right)$ exponentiation operations, and 1 pairing operation. In addition, they need two rounds. Xu et al., also proposed the first protocol with semi-trusted group authority in [8]. Most of the existing solutions rely on fully trusted authority; however, in this new protocol, the group authority can trace the corrupted users. Unfortunately, the group authority can not impersonate the current honest group members to run the protocol. This scheme needs four pairings.

This paper proposes a two-round GSH based on ring group signatures for multiple groups. Our major contributions are listed below.

1

Unlike existing affiliation-hiding (AH) protocols in real-world organizations with multiple groups, in our proposed GSH protocol, players from different groups can calculate public encryption and secret decryption keys. When the protocol is executed successfully, a player A cannot identify which group the other party B is affiliated to, but A can learn that B is affiliated to one of the groups. No matter if the protocol is executed successfully, the adversary cannot learn any sensitive information.

2

Our protocol can provide Perfect Forward Secrecy, i.e., the previously generated session keys remain secure even when the participants’ long-term secrets are leaked. Apart from AH property and perfect forward secrecy, this scheme also holds detectability, impersonation resistance, and traceability.

3

We prove that our scheme provides Perfect Forward Secrecy based on a formal security model. We also prove that this new scheme achieves AH property based on a formal privacy model.

The rest of the article is organized into the following sections. Related works and the building blocks are introduced in Section 2 and Section 3. In Section 4, we define the security model and privacy model. In Section 5, we give the details of our GSH protocol along with the security analysis. Section 6 concludes the article.

2. Related Works

To improve the efficiency of the scheme in [1], Castelluccia et al. [9] designed a new SH protocol using public key encryption technology. It is efficient since it is not constructed based on the bilinear map technique. Xu and Yung presented the first two-party secret handshake protocol in [10]. This scheme is designed without a one-time certificate. However, their scheme can only support weak anonymity: k-anonymity [11]. The work in [12] presented two two-party secret handshake protocols. However, it was pointed out by [13] that the protocols do not hold affiliation-hiding property. After Oblivious Signature-Based Envelope (OSBE) was proposed [14], Nasserian and Tsudik presented the ElGamal signature [15] based OSBE scheme [16]. They combined two OSBE schemes to construct a new secret handshake protocol. Zhou et al. [17] pointed out that there exist some attacks in [16] and presented an ElGamal signature-based secret handshake protocol and a DSA [18] signature secret handshake scheme. However, this scheme requires three rounds.

Hoepman [19] presented an SH protocol in which each participant can belong to multiple organizations. The Group Authority (GA) cannot trace the real identities in their schemes according to the communication manuscripts between the two parties. Yamashita and Tanaka [20] also proposed a two-party secret handshake protocol. If the two participants belong to the same organization, they can execute the protocol successfully. However, Ref. [21] found Yamashita and Tanaka’s scheme attackable. That is, the attacks can find that Alice belongs to the groups ${\mathrm{G}}_1,{\mathrm{G}}_2,\dots ,{\mathrm{G}}_n$, even if the attacker does not belong to the same groups ${\mathrm{G}}_1,{\mathrm{G}}_2,\dots ,{\mathrm{G}}_n$.

Ateniese et al. [22] proposed a fuzzy-matched SH protocol based on Fuzzy Identity-Based Encryption technology. However, their scheme does not hold traceability. If the group members are corrupted, GA cannot recover the real identity of the corrupted members. Although a series of secret handshake schemes [23,24,25,26] have been proposed, these schemes did not consider multiple players.

In IoT, a device needs to discover other devices around it. However, some devices have private information. Therefore, the devices must identify each other in a privacy-preserving way. Zhou et al. [27] presented a secret handshake method to help a device identify other devices nearby. Their scheme satisfies sensitive attribute secrecy. In their scheme, the objects holding sensitive attributes form a group. A device concludes if the other holds sensitive information by confirming if they have the same group membership. The proposed scheme can support large-scale information updating. For instance, a dismissed employee cannot access the devices anymore. Therefore, the scheme can provide efficient addition and revocation. Tian et al. [28] proposed a new SH protocol based on blind signatures, which can be used in intelligent transport systems. The scheme can provide publicly traceable property. Specifically, a user’s membership can be deleted publicly, if it uses its certificate more than k times. Their scheme exhibited linkable AH property. Afterwards, they designed an unlinkable SH scheme. Tian et al. [29] constructed a novel scheme SH based on ID-based signature and ID-based encryption technology. Their scheme holds unlinkability and AH for an untrusted group authority. If a member is corrupted, it will be deleted. The malicious members are deleted by using a secret sharing algorithm. Wen et al. [30] constructed an SH scheme that considers multiple attributes. The proposed scheme can be used in multi-keyword search scenarios. Panja et al. [31] proposed an SH scheme that can provide deniability. If a user has executed the protocol, the communication manuscript can prove it, and the users cannot deny it. They designed a deniable secret handshake scheme based on blind signature technology. Chow et al. [32] designed a secret sharing scheme, and they pointed out that their scheme can be used to realize SH since the users who can recover the common secret will have the same AH information. An et al. [33] proposed a lattice-based SH scheme. In their scheme, key exposure is considered. In addition, An et al. [34] also proposed a novel lattice-based SH protocol, which is not designed without one-time certificates. Instead, the users’ certificates can be reused. Based on physical unclonable functions (PUF), Qureshi and Munir [35] designed a novel authenticated key establishment scheme. Lee et al. [36] proposed an anonymous authenticated key exchange protocol based on PUF to achieve efficient user join and exit. Sun et al. [37] constructed an efficient scheme based on realistic tamper-proof devices to achieve key exchange for VANETs. Guo et al. [38] proposed an authenticated key exchange method which holds anonymity for wearable computing environments. Chen and Lee proposed an anonymous key exchange scheme which orients groups based on chaotic maps [39].

3. Building Blocks

As used in this work, we will outline the Bilinear map and the n-BDHE Assumption.

Bilinear map: Assume ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ are both multiplicative groups. ${\mathbb{G}}_1$’s generator is $\alpha$. The order of ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ is some large prime q.

A bilinear map $\widehat{e}:{\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_2$ can provide the properties below:

• Bilinearity: $\widehat{e}({\alpha }^m,{\alpha }^n)=\widehat{e}{(\alpha ,\alpha )}^{mn}$, for all $m,n\in {\mathbb{Z}}_p^{*}$.
• Non-degeneracy: There exist $\omega ,\chi \in {\mathbb{G}}_1$ such that $\widehat{e}(\omega ,\chi )\ne 1$.
• Computability: For any $\omega ,\chi \in {\mathbb{G}}_1$, $\widehat{e}(\omega ,\chi )$ can be efficiently computed.

n-BDHE Assumption [40]: Let ${\alpha }_i={\alpha }^{\left(t^i\right)}\in {\mathbb{G}}_1$. We say an algorithm $\mathcal{E}$ has advantage $\mathrm{Adv}\left(\mathcal{E}\right)$ in solving n-BDHE problem in ${\mathbb{G}}_1$, where

$$\mathrm{Adv}\left(\mathcal{E}\right)=\mathrm{Pr}[\mathcal{E}(\alpha ,\beta ,{\alpha }^t,\dots ,{\alpha }^{\left(t^n\right)},{\alpha }^{\left(t^{n+2}\right)},\dots ,{\alpha }^{\left(t^{2n}\right)})=\widehat{e}{(\alpha ,\beta )}^{t^{n+1}}].$$

The n-BDHE assumption holds, if $\mathrm{Adv}\left(\mathcal{E}\right)$ is negligible for $\mathcal{E}$. Here, $\mathcal{E}$ is a probabilistic polynomial time (PPT) algorithm.

The proposed scheme is designed by using asymmetric group key agreement as given in [41] and the ring group signature technique as given in [42].

4. Models and Definitions

An organization uses the GSH protocol in scenarios where n groups $\{G_1,G_2,\dots ,G_n\}$ working within the organization. An organization authority (OA) manages the groups, while an individual group $G_i$ is managed by a group authority $G{A}_i$. GAs can register and revoke membership. The users in group $G_i$ are referred to as group members of $G_i$. Furthermore, the GSH protocol participants are referred to as players or participants. Moreover, we call the group members legitimate participants. We give the system model in Figure 1.

Definition 1. 

We define the GSH protocol with the following algorithms.

• $\mathtt{Setup}$: The input is a set of security parameters, and the output is public parameters.
• $\mathtt{CreateOrganization}$: Given public parameters, $OA$ outputs ${\mathcal{SK}}_i$, which is the group secret key, and $gp{k}_i$, which is the group public key for $G_i$. It also creates a certificate revocation list. The certificate revocation list is originally public and empty. ${\mathcal{SK}}_i$ and $gp{k}_i$ are sent to $G{A}_i$ through an authenticated private channel.
• $\mathtt{AddUser}$: $G{A}_i$ inputs ${\mathcal{SK}}_i$ and U, and outputs a certificate $\mathtt{cert}$, then sends it to U through an authenticated private channel.
• $\mathtt{Handshake}$: It is an authentication protocol, which is performed by n participants $\{U_1,\dots ,U_n\}$ where $n\ge 2$. We assume $U_i$ is a member of $\mathrm{G}$. Given $U_i$’s certificate and $\mathrm{G}$’s certificate revocation list, $U_i$ aborts or $U_i$ generates the encryption and decryption key pair.
• $\mathtt{RevokeUser}$: $G{A}_i$ revokes U by updating $\mathcal{RL}$. Only GAs can update the certificate revocation list.

4.1. Participants and Notations

Let ${\Pi }_i^t$ present the instance t of $U_i$ with its partner players. ${\mathrm{sid}}_i^t$ denotes the instance ${\Pi }_i^t$’s session identifier. ${\mathrm{sid}}_i^t$ is the concatenation of the messages sent and received by ${\Pi }_i^t$. ${\mathrm{pid}}_i^t$ is a set that contains all the players’ identifiers corresponding to ${\Pi }_i^t$. In ${\mathrm{pid}}_i^t$, according to dictionary order, the identifiers are ordered. The encryption key and decryption key generated by ${\Pi }_i^t$ are represented as ekey${}_i^t$ and dkey${}_i^t$. ${\mathrm{ms}}_i^t$ is the concatenation of all the messages received and sent by ${\Pi }_i^t$. In ${\mathrm{ms}}_i^t$, according to the identifiers’ order, all the messages are sorted in each round and ordered by round. Moreover, we also give the definitions of the notations used in our scheme in

Table 1. List of Notations.

Notation	Definition
$G{M}_i$	group manager for the i-th group
$gp{k}_i$	group public key for the i-th group
$H_1$, $H_2$	cryptographic hash functions
$si{g}_i\left(m_i\right)$	$U_i$’s identity based signature on $m_i$ using its pseudo-ID $I{D}_i$
$V_{RGS}$	ring signature verification algorithm
${\sigma }_i$	the ring signature generated by $U_i$
$(P,Q)$	encryption key
$z_i$	decryption key
m	a plaintext
c	the ciphertext for m
${\gamma }_i$	the issuer secret key
$({\xi }_i,{\zeta }_i)$	the opener secret key

.

Definition 2 (Accepting). 

The instance ${\Pi }_i^t$ has accepted if it has ${\mathrm{ekey}}_i^t(\ne null)$, ${\mathrm{dkey}}_i^t(\ne null)$, ${\mathrm{pid}}_i^t$, and ${\mathrm{sid}}_i^t$.

Definition 3 (Partnering). 

The instances ${\Pi }_i^t$ and ${\Pi }_j^s$ (where $i\ne j$) are partnered iff (a) they have accepted; (b) ${\mathrm{pid}}_i^t$ = ${\mathrm{pid}}_j^s$; and (c) ${\mathrm{sid}}_i^t$ = ${\mathrm{sid}}_j^s$.

Definition 4. 

A GSH scheme is correct if, assuming all certificates, $\mathcal{SK}$, and $\mathcal{RL}$ are generated by executing the algorithms given earlier (except $\mathtt{Handshake}$). For any instance ${\Pi }_i^t$ and any of ${\Pi }_i^t$’s partners ${\Pi }_j^s$, whenever ${\Pi }_i^t$ has accepted for any message $m\in {\{0,1\}}^{\tau }$, it holds that $D(E(m,eke{y}_j^s),dke{y}_i^t)=m$ and $D(E(m,eke{y}_i^t),dke{y}_j^s)=m$.

4.2. Privacy Model

In this work, we define the privacy model as a game. This game is between an adversary $\mathcal{A}$ and challenger ${\mathcal{C}}^{ah}$. $\mathcal{A}$’s goal is to get the participants’ affiliation information. The adversary should be able to distinguish between two executions in order to learn the affiliations. The two executions are; (a) where ${\mathcal{C}}^{ah}$ normally executes the protocols as legitimate participants, and (b) where it interacts with a simulator.

During the initialization phase, the challenger creates an organization that includes m groups. Specifically, it generates the group secret keys, the group public keys, and the members’ certificates for each group. Then the challenger selects corrupted players and gives their certificates to $\mathcal{A}$. Afterward, the challenger executes $\mathtt{RevokeUser}$, i.e., prune the corrupted members and update $\mathcal{RL}$.

$\mathcal{A}$ issues a polynomial number of $\mathtt{Start}({\Pi }_i^t,G$), $\mathtt{Send}({\Pi }_i^t,\Delta$), $\mathtt{Ekey}.\mathtt{Reveal}({\Pi }_i^t$), $\mathtt{Dkey}.\mathtt{Reveal}({\Pi }_i^t$), and $\mathtt{Corrupt}(U_i$) queries adaptively. The challenger uniformly chooses a bit $b\in \{0,1\}$ randomly. If b equals 1, $C^{ah}$ replies as legitimate players, honestly. If b equals 0, $C^{ah}$ answers the queries using the simulator. If b equals 0, $C^{ah}$ replies to the queries as below.

• $\mathtt{Start}({\Pi }_i^t$) and $\mathtt{Send}({\Pi }_i^t,\Delta$) queries: After receiving the queries, $C^{ah}$ replies with the information generated by the simulator. If $\Delta$ is incorrect, $C^{ah}$ sets $reject$ as $True$, then returns $null$.
• $\mathtt{Ekey}.\mathtt{Reveal}({\Pi }_i^t$): If $reject\ne True$, output $eke{y}_i^t$; otherwise, return $null$.
• $\mathtt{Dkey}.\mathtt{Reveal}({\Pi }_i^t$): If $reject\ne True$, output $dke{y}_i^t$; otherwise, return $null$.
• $\mathtt{Corrupt}(U_i$): ${\mathcal{C}}^{ah}$ sends ${\mathtt{cert}}_i$ to $\mathcal{A}$ and updates the list $\mathcal{RL}$.

At last, a bit $b^{\prime }$ is returned by $\mathcal{A}$. If $b^{\prime }=b$, the adversary $\mathcal{A}$ wins the game. We define $\mathcal{A}$’s advantage as

$${\mathtt{Adv}}^{ah}\left(\mathcal{A}\right)=|2·\mathrm{Pr}[b=b^{\prime }]-1|.$$

Definition 5. 

If for any PPT adversary $\mathcal{A}$, ${\mathtt{Adv}}^{ah}\left(\mathcal{A}\right)$ is negligible, then the GSH protocol holds AH property.

4.3. Security Model

Similar to the previous models, this game is also played between $\mathcal{A}$ (an adversary) and $\mathcal{C}$ (a challenger). In this model, $\mathcal{A}$ has complete control of the communication channel. Moreover, it can corrupt any number of players, including the ones in the test session. $\mathcal{A}$ receives the challenge and then sends start and reveal queries (except for tested instance or any instance partnered with it). We show that $\mathcal{A}$ cannot distinguish a ciphertext that is encrypted by the public key of any fresh instance from a random string. The initialization process is omitted here since it is similar to the privacy model.

$\mathcal{C}$ responds to $\mathcal{A}$’s queries as follows:

• $\mathtt{Start}({\Pi }_i^t$) and $\mathtt{Send}({\Pi }_i^t,\Delta$): Return the answer output by the instance ${\Pi }_i^t$. If $\Delta$ is incorrect, output null.
• $\mathtt{Ekey}.\mathtt{Reveal}({\Pi }_i^t$): Output ekey${}_i^t$.
• $\mathtt{Dkey}.\mathtt{Reveal}({\Pi }_i^t$): Output dkey${}_i^t$.
• $\mathtt{Test}({\Pi }_i^t$): The query can be performed only once. Note that ${\Pi }_i^t$ should be fresh. $\mathcal{A}$ selects $(m_0,m_1)$ where $\left(\right|m_0|=|m_1\left|\right)$, and sends $(m_0,m_1)$ to the challenger $\mathcal{C}$. Then $\mathcal{C}$ picks randomly $b\in \{0,1\}$ uniformly, encrypts $m_b$ using ekey${}_i^t$, and sends $\mathcal{A}$ the ciphertext.
• $\mathtt{Corrupt}(U_i$): $\mathcal{C}$ updates the list $\mathcal{RL}$, and sends $U_i$’s certificate to $\mathcal{A}$. Even if $\mathcal{A}$ has queried Test(${\Pi }_j^s$), it can still corrupt $U_j$.

At last, a bit $b^{\prime }$ is returned by $\mathcal{A}$. Here, $\mathcal{A}$ wins with an advantage as

$$Adv\left(\mathcal{A}\right)=|2·\mathrm{Pr}[b=b^{\prime }]-1|.$$

In order to describe perfect forward security, Freshness is defined below.

Definition 6. 

If $\mathcal{A}$ has not sent any of the queries, i.e., $\mathtt{Corrupt}\left(U_i\right)$, $\mathtt{Corrupt}\left(U_j\right)$, $\mathtt{Dkey}.\mathtt{Reveal}\left({\Pi }_i^t\right)$, or $\mathtt{Dkey}.\mathtt{Reveal}({\Pi }_j^s)$, where ${\Pi }_i^t$ is partnered with ${\Pi }_j^s$, we say the instance ${\Pi }_i^t$ is fresh.

Definition 7. 

If for any PPT adversary $\mathcal{A}$, $\mathrm{Adv}\left(\mathcal{A}\right)$ is negligible in the above game, we say the GSH protocol is secure against semantically indistinguishable chosen plaintext attacks (IND-CPA).

5. The Proposed Scheme

This section gives the details of the proposed scheme. Following it, a detailed security analysis and additional features will be given. Our scheme includes the $\mathtt{Setup}$, $\mathtt{CreateOrganization}$, $\mathtt{AddUser}$, and $\mathtt{Handshake}$ algorithms:

• $\mathtt{Setup}$: Choose a bilinear group pair $({\mathbb{G}}_1,{\mathbb{G}}_2)$ of prime order p with a computable isomorphism $\psi$, where $g_1=\psi \left(g_2\right)$. $g_1$ and $g_2$ are the respective generators of ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$. For bilinear map $\widehat{e}:{\mathbb{G}}_1\times {\mathbb{G}}_2\to {\mathbb{G}}_T$, the Strong Diffie–Hellman (SDH) assumption holds on $({\mathbb{G}}_1,{\mathbb{G}}_2)$, and the Linear assumption holds on ${\mathbb{G}}_1$. Also select two hash functions $H_1:{\{0,1\}}^{*}\to {\mathbb{G}}_1$, and $H_2={\mathbb{G}}_2\to {\{0,1\}}^{\tau }$.
• $\mathtt{CreateOrganization}$: Suppose a secret organization created by an organization authority (OA) includes n departments (groups), and all of them support the SDH+ group signature scheme. The i-th group is managed by a group manager $G{M}_i$. OA generates $gpk$, $gp{k}_i$, ${\gamma }_i$, and $({\xi }_i,{\zeta }_i)$, and sends them to $G{M}_i$ through a secure authenticated channel, where $\{gpk,l\}$$={\{gp{k}_i,l_i\}}_{\{i\in [n\left]\right\}}$ are the lists of the n group public keys and sizes, $gp{k}_i=(g_{1i},g_{2i},w_i,d_i,h_i,u_i,v_i)$ and its issuer secret key is ${\gamma }_i$ and opener secret key is $({\xi }_i,{\zeta }_i)$.
• $\mathtt{AddUser}$: $G{M}_i$ adds the j-th member to the i-th group $((i,j)\in (\left[n\right],\left[l_i\right]))$ and sends the membership secret key $msk(i,j)$, $gpk$, and the registration value $re{g}_{(i,j)}$ to it through a private authenticated channel.
  $\mathtt{RevokeUser}$: To remove a user $U_i$, the GMs add $I{D}_i$ into the certificate revocation list.
• $\mathtt{Handshake}$: Executed by some set $\mathcal{U}=\{U_1,\dots ,U_{n^{\prime }}\}$ of players. Let S and D be empty sets (initially) of integers. Let $W=\{1,\dots ,n^{\prime }\}$. In the first round, $U_i$ broadcasts $M_i$ to other participants. In the second round, $U_i$ broadcasts $(c_i,{\mathrm{sid}}_i,si{g}_i(c_i,{\mathrm{sid}}_i)$). The details are shown as follows:
  Round 1:

  1.

  $U_i$ selects $r_i\in {\mathbb{Z}}_p^{*}$ and $T_i\in {\mathbb{G}}_1\setminus 1$ randomly, then computes $P_i=g^{-r_i}$ and $Q_i=\widehat{e}(T_i,g)$.

  2.

  For $j\in [1,n^{\prime }]$, $U_i$ computes $f_j=H_1\left(j\right)$ and $z_{i,j}=T_i{f}_j^{r_i}$.

  3.

  Set $m_i=(P_i,Q_i,{\left\{z_{i,j}\right\}}_{j\in [1,n^{\prime }],j\ne i},{\mathrm{sid}}_i$).

  4.

  To sign $m_i$ with respect to $gpk$, $U_i$ computes a ring group signature ${\sigma }_i=({\mathbf{e}}_{i,0},$$\dots ,{\mathbf{e}}_{i,n-1},c_{i,0},{\mathbf{s}}_{i,0},\dots ,{\mathbf{s}}_{i,n-1}).$ Moreover, $U_i$ generates an ID-based signature $si{g}_i\left(m_i\right)$ on $m_i$ using its pseudo-ID $I{D}_i$. We assume all the participants are registered with the same Private key Generator.

  5.

  $U_i$ broadcasts $M_i=(m_i,I{D}_k,si{g}_i\left(m_i\right),{\mathbf{e}}_{i,0},\dots ,{\mathbf{e}}_{i,n-1},{\mathbf{s}}_{i,0},\dots ,{\mathbf{s}}_{i,n-1})$. Here $c_{i,0}$ is not included in $M_i$.

  Round 2:

  1.

  If any two received messages include the same $I{D}_j$, $U_i$ aborts. For $j\in [1,n^{\prime }]$ and $j\ne i$ there exists an invalid ${\mathrm{sig}}_j\left(m_j\right)$, then $W=W\setminus j$. For any $j\in W$ there exists $I{D}_j$ that is on the certification revocation list, then $W=W\setminus j$. $U_i$ calculates the encryption key $(P^{\prime },Q^{\prime })$, where $P^{\prime }={\prod }_{j\in W}{P}_j$, $Q^{\prime }={\prod }_{j\in W}{Q}_j$.

  2.

  $U_i$ uses $(P^{\prime },Q^{\prime })$ to encrypt $c_{i,0}$ and generates the ciphertext $c_i=(c_{1,i},c_{2,i},c_{3,i})$, where $t_i\leftarrow {\mathbb{Z}}_p,c_{1,i}=g^{t_i},c_{2,i}={P^{\prime }}^{ti},c_{3,i}=c_{i,0}\oplus H_2\left({Q^{\prime }}^{ti}\right)$.

  3.

  Set ${\mathrm{sid}}_i=[M_1\left|\right|\dots \left|\right|M_{n^{\prime }}]$. Broadcast $(c_i,{\mathrm{sid}}_i,si{g}_i(c_i,{\mathrm{sid}}_i)$).

  4.

  $U_i$ computes $z_i^{\prime }=T_i{f_i}^{r_i}{\prod }_{j\in W,j\ne i}{z}_{j,i}$, and uses $z_i^{\prime }$ to decrypt ciphers. Since $Q^{\prime }=\widehat{e}(z_i,g)\widehat{e}(f_i,P^{\prime })$, $U_i$ can compute $c_{j,0}=c_{3,j}\oplus H_2\left(\widehat{e}(z_i^{\prime },c_{1,j})\widehat{e}(f_i,c_{2,j})\right)$.

  5.

  To verify the ring group signature ${\sigma }_j$, a verifier runs $V_{RGS}(m_j,gpk,{\sigma }_j)$ to check whether $c_{j,0}^{\prime }=c_{j,0}$ holds. If so, ${\sigma }_j$ is valid. If ${\sigma }_j$ is invalid, set $S=S\cup \left\{j\right\}$. Hence, $U_i$ can deduce that $U_j$ ($j\in S$) is an illegal participant.

  6.

  Let $S^{\prime }=W\setminus S$. If $|S^{\prime }|\ge 3$ then $D\subset S^{\prime }$ where $\left|D\right|\ge 2$. $U_{j,j\in D}$ generates $(P,Q)$ and computes the decryption key $z_i$, where

  $$P=\prod _{j\in D}{P}_j,Q=\prod _{j\in D}{Q}_j,and$$

  $$z_i=T_i{f_i}^{r_i}\prod _{j\in D,j\ne i}{z}_{j,i}=(\prod _{j\in D}{X}_j)f_i^{{\sum }_{j\in D}{r}_j}.$$

  −

  Encryption. $U_i$ uses $(P,Q)$ to encrypt $m\in {\{0,1\}}^{\tau }$ and obtains the ciphertext $c=(c_1,c_2,c_3)$, where $t\leftarrow {\mathbb{Z}}_p,c_1=g^t,c_2=P^t,c_3=m\oplus H_2\left(Q^t\right)$.

  −

  Decryption. $U_i$ uses $z_i$ to decrypt ciphers. Since $Q=\widehat{e}(z_i,g)\widehat{e}(f_i,P)$, $U_i$ can compute $m=c_3\oplus H_2\left(\widehat{e}(z_i,c_1)\widehat{e}(f_i,c_2)\right)$. Otherwise, $U_i$ rejects.

  Remark. If $gpk$ is leaked, the dishonest participants can verify the ring group signature. However, the private key generator can trace them. In order to make the scheme easier to understand, we omit the generation algorithm and the verification algorithm $V_{RGS}(m_j,gpk,{\sigma }_j)$ of the ring group signature and the ID-based signature. In order to make the scheme easy to understand, we assume that $U_i$ uses $gpk$ to generate the ring group signature. In fact, if $U_i$ plans to hide itself in part of the groups, it will choose the corresponding group public keys to generate the ring group signature.

5.1. Security Analysis

Theorem 1. 

The proposed GSH scheme satisfies the AH property.

Proof of Theorem 1. 

In order to show that our scheme holds an Affiliation-Hiding property, two games G0 (the real game) and G1 (a simulation) are designed.

To prove that $\mathcal{A}$ cannot distinguish between G0 and G1, G1 is defined as follows.

Simulation. ${\mathcal{C}}^{ah}$ maintains list $U^{list}$ which is initially empty. Assume $W=\{1,\dots ,n\}\setminus \left\{i\right\}$, D is a set of integers and originally empty, and pid${}_i^t$=$\{U_1,\dots ,U_n\}$.

• $\mathtt{Start}({\Pi }_i^t$): $C^{ah}$ generates $M_i=(m_i,I{D}_k,si{g}_i\left(m_i\right)$ by normally executing the protocol, and generates ${\mathbf{e}}_{i,0},\dots ,{\mathbf{e}}_{i,n-1},{\mathbf{s}}_{i,0},\dots ,{\mathbf{s}}_{i,n-1}$ randomly.
• $\mathtt{Send}({\Pi }_i^t,\Delta$): $C^{ah}$ responds to the query as follows:

  1.

  If any two received messages include the same $I{D}_j$, $C^{ah}$ aborts. For $j\in [1,n^{\prime }]$ and $j\ne i$, if there exists ${\mathrm{sig}}_j\left(m_j\right)$ as invalid, $W=W\setminus j$. For any $j\in W$, if there exists $I{D}_j$ that is on the certification revocation list, $W=W\setminus j$. $C^{ah}$ calculates $(P^{\prime },Q^{\prime })$, where $P^{\prime }={\prod }_{j\in W}{P}_j$, $Q^{\prime }={\prod }_{j\in W}{Q}_j$.

  2.

  $C^{ah}$ generates randomly $c_{i,0}$ and $C^{ah}$ uses $(P^{\prime },Q^{\prime })$ to encrypt $c_{i,0}$ and generates the ciphertext $c_i=(c_{1,i},c_{2,i},c_{3,i})$, where $t_i\leftarrow {\mathbb{Z}}_p,c_{1,i}=g^{t_i},c_{2,i}={P^{\prime }}^{ti},c_{3,i}=c_{i,0}\oplus H_2\left({Q^{\prime }}^{ti}\right)$.

  3.

  Set ${\mathrm{sid}}_i=[M_1\left|\right|\dots \left|\right|M_{n^{\prime }}]$. Broadcast $(c_i,{\mathrm{sid}}_i,si{g}_i(c_i,{\mathrm{sid}}_i)$).

• $\mathtt{Ekey}.\mathtt{Reveal}({\Pi }_i^t$): If reject $\ne True$, ${\mathcal{C}}^{ah}$ computes $P={\prod }_{l\in {\mathcal{D}}^{\prime }}^n{P}_l$, $Q={\prod }_{l\in {\mathcal{D}}^{\prime }}^n{Q}_l$, and returns $(P,Q)$; otherwise, it returns $null$.
• $\mathtt{Dkey}.\mathtt{Reveal}({\Pi }_i^t$): If reject $\ne True$, ${\mathcal{C}}^{ah}$ recovers the corresponding $z_{i,i}$ corresponding to ${\mathrm{sid}}_i^t$ from $U^{list}$, then returns $d_i={\prod }_{l\in {\mathcal{D}}^{\prime }}^n{z}_{l,i}$; otherwise, it outputs $null$.
• $\mathtt{Corrupt}({\mathcal{U}}_i$): ${\mathcal{C}}^{ah}$ gives ${\mathrm{cert}}_i$ to $\mathcal{A}$. Then, ${\mathcal{C}}^{ah}$ inserts $i{d}_i$ to $\mathcal{RL}$.

The difference between G0 and G1 is that the ring group signature is invalid in G1. Therefore, the adversary can distinguish between G0 and G1 if it can determine that the ring group signature in G0 is valid or if the ring group signature in G1 is valid. The adversary does not have $gpk$, so it can not verify the signatures. Moreover, $c_{i,0}$ is encrypted by the asymmetric encryption algorithm. Therefore, the adversary cannot get all the elements of the ring group signature. Let the event $\mathcal{E}$ denote the adversary guesses the group public key $gpk$ and decrypts the ciphertext for $c_{i,0}$ successfully. We can observe that event $\mathcal{E}$ occurs with negligible probability. Therefore, the adversary cannot distinguish between G0 and G1. That is, the proposed protocol holds affiliation hiding property. □

Theorem 2. 

Suppose there is an adversary $\mathcal{A}$ who asks at most $q_{H_1}$$H_1$-queries, $q_{H_2}$$H_2$-queries, $q_{s_1}$ Start-queries, $q_{s_2}$ Send-queries, $q_c$ Corrupt-queries, $q_E$ Ekey.Reveal-queries, and $q_D$ Dkey.Reveal-queries. Moreover, suppose that it wins the game defined in the security model with $\mathrm{Adv}\left(\mathcal{A}\right)$. Then there exists an algorithm to break the n-BDHE assumption with an advantage

$$\frac{(1-n{\mathrm{Adv}}_{rgs}\left(\mathcal{A}\right))}{e(q_D+n)q_{H_2}}\mathtt{Adv}\left(\mathcal{A}\right).$$

Proof of Theorem 2. 

The challenger $\mathcal{C}$ aims to solve the n-BDHE problem, i.e., $(\alpha ,\beta ,{\alpha }_1,\dots ,{\alpha }_n,$${\alpha }_{n+2},\dots ,{\alpha }_{2n})$. $H_1$ and $H_2$ are treated as random oracles. If $\mathcal{C}$ uses $\mathcal{A}$ to break the protocol with $\mathtt{Adv}\left(\mathcal{A}\right)$, then it can break n-BDHE assumption with $\frac{(1-n{\mathrm{Adv}}_{rgs}\left(\mathcal{A}\right))}{e(q_D+n)q_{H_2}}\mathtt{Adv}\left(\mathcal{A}\right)$. We assume that pid${}_i^t$=$\{U_1,\dots ,U_n\}$. We omit the details of the proof since they are similar to that of Theorem 4.1 in [7]. □

5.2. Additional Features

Besides affiliation hiding and perfect forward security, the proposed scheme also holds traceability, impersonation resistance property, and detectability. The honest participants can detect invalid players by verifying the ring group signatures. If the ring group signatures are invalid, PKG can trace the real identity of the invalid players by using its pseudo-ID. The malicious players cannot impersonate others since they cannot forge others’ ring group signatures.

The proposed scheme is efficient. Suppose $\left|W\right|=k_1$, $\left|D\right|=k_2$, “P” represents Pairing, “$M_1$” and “$M_2$” represent multiplication in ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$, respectively, and “E” represents exponentiation in ${\mathbb{G}}_1$. Then, ${\mathcal{U}}_i$ needs $1P+k_{1}E+(k_1-1)M_1$ to perform the first round. ${\mathcal{U}}_i$ requires $2k_1{M}_1+3E+2P+(k_1-1)M_2$ to execute the second round. After running the protocol, ${\mathcal{U}}_i$ needs $(k_2-1)M_1+(k_2-1)M_2$ to compute the encryption keys and $k_2{M}_1+1E$ to compute the decryption keys.

6. Conclusions

Group member authentication is a challenging task in group communication. We design a novel protocol with multiple groups based on ring group signatures in this work. Only a legitimate member can prove that they belong to a set of legitimate affiliations, but which affiliation they belong to is not leaked. After executing the scheme, the honest players can compute a public encryption key and its decryption key. In the proposed scheme, the honest players can find the illegitimate participants, i.e., the scheme captures detectability. We proved that the scheme exhibits affiliation-hiding and perfect forward secrecy.